During the weekend I made some tests to simulate a DNS amplification DDoS attack. Sending about 90 Mb/s of traffic, I was able to generate about x.x Gb/s of amplified traffic, which sent our datacenter offline in seconds.
Now that this kind of attack is getting more popular every day, I'm curious to know the best practices to mitigate it. Has anyone had experience mitigating a DNS amplification DoS attack?

----- Edit Possible Workarounds -----

Ask the provider to block incoming traffic with source port 53.

(Suggested by @rook) Have the big guys like Cloudflare, Akamai or Verisign handle it for you, which may cost money but can be very effective when the provider is not able to help.

(Suggested by @user24077) Implement a Remote Trigger Black Hole Routing/Filtering strategy, which in my opinion can be effective but risky, because you can end up wasting the complete bandwidth while trying to protect a node or client.
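To put a number on the amplification the question measures, here is an added example (my own code, not from the original question or from any vendor) that builds a wire-format DNS ANY query with an EDNS0 OPT record, constructs the kind of oversized answer an abusable server would return, parses it and computes the response/query size ratio. The name example.com, the record mix and the filler TXT data are constructed for illustration; nothing is sent on the network.

```python
"""Amplification factor of a DNS ANY query, measured on the wire (added example)."""
import struct

ANY, IN, OPT, TXT, A = 255, 1, 41, 16, 1


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS label format, uncompressed (the largest encoding)."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name: str, qtype: int = ANY, edns_payload: int = 4096, txid: int = 0x1234) -> bytes:
    """Query with RD set and an EDNS0 OPT pseudo-record.

    ANY asks for every record at the name, and the OPT record advertises a 4096-byte UDP
    buffer, so the server will send a far larger answer than the classic 512-byte limit.
    Both are what an attacker puts in the spoofed packets.
    """
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT record)
    question = encode_name(name) + struct.pack("!HH", qtype, IN)
    # OPT RR: root name, type 41; the CLASS field carries the UDP payload size, TTL carries flags
    opt = b"\x00" + struct.pack("!HHIH", OPT, edns_payload, 0, 0)
    return header + question + opt


def build_response(query: bytes, answers: list) -> bytes:
    """Constructed server answer: QR|AA set, question echoed, answers appended, OPT echoed.

    answers: list of (name, rtype, ttl, rdata). A real server compresses names, so this
    is an upper bound on the size a given record set produces.
    """
    txid, _flags, _qd, _an, _ns, ar = struct.unpack("!HHHHHH", query[:12])
    off = 12
    while query[off] != 0:          # walk the qname labels
        off += 1 + query[off]
    off += 1 + 4                    # terminator + qtype + qclass
    question, additional = query[12:off], query[off:]
    header = struct.pack("!HHHHHH", txid, 0x8400, 1, len(answers), 0, ar)
    body = b"".join(encode_name(n) + struct.pack("!HHIH", t, IN, ttl, len(rd)) + rd
                    for n, t, ttl, rd in answers)
    return header + question + body + additional


def skip_name(pkt: bytes, off: int) -> int:
    """Offset just past a name; a compression pointer is always the last two bytes of a name."""
    while True:
        length = pkt[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(pkt: bytes) -> dict:
    """Summarise a DNS message: flags, record counts per type, total size. Raises on malformed input."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(pkt, off) + 4
    by_type = {}
    for _ in range(an + ns + ar):
        off = skip_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10 + rdlen
        by_type[rtype] = by_type.get(rtype, 0) + 1
    if off != len(pkt):
        raise ValueError("truncated message or trailing bytes")
    return {"txid": txid, "qr": bool(flags & 0x8000), "answers": an,
            "additional": ar, "by_type": by_type, "size": len(pkt)}


def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes the victim receives per byte the attacker sends (UDP payload only)."""
    return len(response) / len(query)


def demo() -> dict:
    """Constructed zone: ten 200-character TXT records and four A records at one name."""
    query = build_query("example.com")
    txt = bytes([200]) + b"x" * 200        # one <length><chars> string; the filler is constructed
    answers = [("example.com", TXT, 3600, txt) for _ in range(10)]
    answers += [("example.com", A, 300, bytes([192, 0, 2, i])) for i in range(1, 5)]
    response = build_response(query, answers)
    summary = parse_response(response)
    summary["query_size"] = len(query)
    summary["factor"] = amplification_factor(query, response)
    # the 90 Mb/s of spoofed queries from the question, scaled by this factor
    summary["victim_mbps_at_90"] = 90 * summary["factor"]
    return summary


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the summary: a 40-byte query against a 2388-byte answer gives a factor near 60, so the 90 Mb/s of spoofed queries in the question would arrive at the victim as roughly 5.4 Gb/s of UDP payload (IP and UDP headers, which the script ignores, shave a little off that). ANY answers from large DNSSEC-signed zones push the factor higher still; the point is that the attacker pays for the query size, not the answer size.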

You are allowed to kill a whole datacenter for a stress test? I'm envious. :(
–
thejh Apr 1 '13 at 20:29

2

We are allowed to experiment on Sundays, but it was not my intention to consume the X Gb/s of bandwidth available in that node of our datacenter. I set up a testing environment with a limit of 300 Mb/s on the target server, applied several iptables rules against UDP (in fact I blocked UDP totally) and, to make sure, I put a hardware firewall in front of it. As soon as I started testing from the other datacenter, everything went down.
–
HEX Apr 1 '13 at 23:02

3 Answers

Ideally you want to prevent these UDP packets from reaching their destination by filtering them at the edge router (which is your provider). Unfortunately not many providers offer this service. Cloudflare uses this method to help mitigate this attack.

Another method is using GeoIP-based load balancing. This is the magic behind many CDNs, in that DNS resolves to the server closest to you. In a DoS attack this helps distribute the load and isolate outages to specific region(s). There is also some elegance in using DNS to help prevent DNS amplification attacks.

Eventually the servers used for DNS amplification will be configured properly. But this solution is likely more than 10 years from coming into fruition.

For most people, using a service like Cloudflare or Akamai is the best solution.

*Random idea* What about continuously abusing misconfigured DNS servers against themselves? Then admins are much more likely to notice it, and as a bonus, they have less capacity remaining to attack other websites.
–
Luc Apr 5 '13 at 8:14

@Luc it strikes me as a drop in the bucket. Even setting a ratelimit of 5 responses per second is enough if you rotate your requests between 27 million servers.... Face it, the internet as we know it is too naive.
–
rook May 9 '13 at 4:28

In the past I have implemented Remote Trigger Black Hole Routing/Filtering techniques on the edge, Internet-facing routers. This technique has been proven effective; it can be implemented based on either source or destination traffic. Here is a link for you to reference if you want to dig further. It is easy to implement and cost effective.

Do not place open DNS resolvers on the Internet. Limiting the clients that can access the resolver greatly decreases the ability of an attacker to use it maliciously. This can be accomplished using firewall rules, router IP access lists, or other methods.

Prevent IP address spoofing by configuring Unicast Reverse Path Forwarding (URPF) on network routers. A router configured to use URPF (defined in RFC3074) limits an attacker’s ability to spoof packets by comparing the packet’s source address with its internal routing tables to determine if the address is plausible. If not, the packet is discarded.

Deploy an intrusion prevention system (IPS) device or monitor DNSSEC traffic in some way. Large numbers of outgoing packets with the same target address, especially when their count suddenly spikes, are a good indicator of an active attack. Deploying filters to drop, limit, or delay the incoming suspect packets should lessen the impact of the attack on the local network and the attack target. As previously mentioned, Windows DNS servers drop unmatched response packets and log them in performance and statistics counters. It is important to regularly monitor these counters.
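The uRPF check and the spike indicator this answer describes, as an added example in Python (my own code, not the answer's or any vendor's): a longest-prefix lookup over a constructed routing table decides whether a source address is plausible on the interface it arrived on, in strict and loose mode, and a counter over constructed NetFlow-style records flags a destination whose rate of outgoing port-53 responses suddenly jumps. The prefixes, interface names, resolver address and flow records are all assumptions made for the example.

```python
"""Source-address plausibility (uRPF) and outgoing-response spike detection (added example)."""
import ipaddress
from collections import Counter, defaultdict

# Constructed FIB: prefix -> egress interface, as a router's routing table would hold it.
FIB = {
    ipaddress.ip_network("198.51.100.0/24"): "eth1",  # customer LAN behind eth1
    ipaddress.ip_network("203.0.113.0/24"): "eth2",   # second customer LAN
    ipaddress.ip_network("0.0.0.0/0"): "eth0",        # default route towards the upstream
}


def lookup(src: str, fib=FIB):
    """Longest-prefix match: (prefix, interface), or None if the address is unrouted."""
    addr = ipaddress.ip_address(src)
    best = None
    for prefix, iface in fib.items():
        if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_allows(src: str, ingress: str, mode: str = "strict",
                allow_default: bool = False, fib=FIB) -> bool:
    """Does the packet's source address make sense for the interface it arrived on?

    strict: the best route back to src must leave via the ingress interface (for
            customer-facing ports, where every valid source is a known prefix).
    loose:  any route to src suffices, so it only catches unrouted/bogon sources
            (for upstream ports, where traffic is not symmetric).
    A match on the default route counts as "no route" unless allow_default is set,
    which is how the usual router implementations behave.
    """
    route = lookup(src, fib)
    if route is None or (route[0].prefixlen == 0 and not allow_default):
        return False
    return route[1] == ingress if mode == "strict" else True


def detect_response_spikes(flows, factor: float = 10.0, abs_min: int = 50) -> dict:
    """Flag destinations whose per-second count of outgoing DNS responses jumps.

    flows: (second, src_ip, src_port, dst_ip, dst_port, bytes) records, e.g. from NetFlow.
    A second is flagged when its response count to one destination exceeds abs_min and
    factor times that destination's running mean over its unflagged seconds (so the
    baseline is not dragged up by the attack itself). Returns {dst: [flagged seconds]}.
    """
    per_dst = defaultdict(Counter)          # dst -> Counter(second -> response packets)
    for sec, _src, sport, dst, _dport, _nbytes in flows:
        if sport == 53:                     # responses leave from port 53
            per_dst[dst][sec] += 1
    flagged = {}
    for dst, counts in per_dst.items():
        total = seen = 0
        for sec in sorted(counts):
            mean = total / seen if seen else 0.0
            if counts[sec] > abs_min and counts[sec] > factor * mean:
                flagged.setdefault(dst, []).append(sec)
            else:
                total, seen = total + counts[sec], seen + 1
    return flagged


def constructed_flows():
    """Ten seconds from resolver 198.51.100.53: one normal client, then a victim hammered at t=5,6."""
    flows = []
    for t in range(10):
        flows += [(t, "198.51.100.53", 53, "198.51.100.20", 40000 + i, 120) for i in range(5)]
    for t in range(5):
        flows += [(t, "198.51.100.53", 53, "192.0.2.10", 41000 + i, 120) for i in range(2)]
    for t in (5, 6):
        flows += [(t, "198.51.100.53", 53, "192.0.2.10", 50000 + i, 3000) for i in range(400)]
    return flows


def urpf_demo(fib=FIB) -> dict:
    """Strict-mode verdicts for constructed inbound packets: (source, ingress interface)."""
    cases = {
        "customer_own_address": ("198.51.100.7", "eth1"),        # legitimate
        "customer_spoofs_victim": ("192.0.2.10", "eth1"),        # forged victim address on a customer port
        "internet_spoofs_our_prefix": ("198.51.100.7", "eth0"),  # our own prefix arriving from upstream
    }
    return {name: urpf_allows(src, ingress, "strict", fib=fib)
            for name, (src, ingress) in cases.items()}


if __name__ == "__main__":
    print(urpf_demo())
    print(detect_response_spikes(constructed_flows()))
```

The strict check belongs on customer-facing interfaces, where every legitimate source is a known prefix; on an upstream interface with a default route strict mode would drop everything, which is why loose mode and allow_default exist. The spike detector is deliberately simple: in practice the threshold is tuned to the resolver's normal per-client rate, and the flagged destinations are what you would feed into a rate limit or a blackhole route.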

It is very important to secure our own DNS servers, because none of us wants to contribute to a DDoS attack. But the big risk is not about having a resolver in your network, it is about having possibly 27 million open resolvers worldwide sending packets to your network. If you have an open resolver in your network which sends 10,000 packets of 3,000 bytes per second (over the Internet) = 24 Mb/s, which is not a big deal. But if you get hundreds of open resolvers sending 24 Mb/s each, then the situation gets serious.
–
HEX Apr 1 '13 at 21:51